forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
loginoptions.go
412 lines (350 loc) · 12.8 KB
/
loginoptions.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
package login
import (
"bytes"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"net"
"os"
"path/filepath"
"time"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
restclient "k8s.io/client-go/rest"
kclientcmd "k8s.io/client-go/tools/clientcmd"
kclientcmdapi "k8s.io/client-go/tools/clientcmd/api"
kterm "k8s.io/kubernetes/pkg/kubectl/util/term"
"github.com/openshift/origin/pkg/client/config"
cmdutil "github.com/openshift/origin/pkg/cmd/util"
"github.com/openshift/origin/pkg/cmd/util/term"
"github.com/openshift/origin/pkg/oc/cli/cmd/errors"
loginutil "github.com/openshift/origin/pkg/oc/cli/cmd/login/util"
cliconfig "github.com/openshift/origin/pkg/oc/cli/config"
"github.com/openshift/origin/pkg/oc/util/tokencmd"
projectclient "github.com/openshift/origin/pkg/project/generated/internalclientset"
userapi "github.com/openshift/origin/pkg/user/apis/user"
)
const defaultClusterURL = "https://localhost:8443"
const projectsItemsSuppressThreshold = 50
// LoginOptions is a helper for the login and setup process, gathers all information required for a
// successful login and eventual update of config files.
// Depending on the Reader present it can be interactive, asking for terminal input in
// case of any missing information.
// Notice that some methods mutate this object so it should not be reused. The Config
// provided as a pointer will also mutate (handle new auth tokens, etc).
type LoginOptions struct {
Server string
CAFile string
InsecureTLS bool
// flags and printing helpers
Username string
Password string
Project string
// infra
StartingKubeConfig *kclientcmdapi.Config
DefaultNamespace string
Config *restclient.Config
Reader io.Reader
Out io.Writer
ErrOut io.Writer
// cert data to be used when authenticating
CertFile string
KeyFile string
Token string
PathOptions *kclientcmd.PathOptions
CommandName string
RequestTimeout time.Duration
}
// Gather all required information in a comprehensive order.
func (o *LoginOptions) GatherInfo() error {
if err := o.gatherAuthInfo(); err != nil {
return err
}
if err := o.gatherProjectInfo(); err != nil {
return err
}
return nil
}
// getClientConfig returns back the current clientConfig as we know it. If there is no clientConfig, it builds one with enough information
// to talk to a server. This may involve user prompts. This method is not threadsafe.
func (o *LoginOptions) getClientConfig() (*restclient.Config, error) {
if o.Config != nil {
return o.Config, nil
}
if len(o.Server) == 0 {
// we need to have a server to talk to
if kterm.IsTerminal(o.Reader) {
for !o.serverProvided() {
defaultServer := defaultClusterURL
promptMsg := fmt.Sprintf("Server [%s]: ", defaultServer)
o.Server = term.PromptForStringWithDefault(o.Reader, o.Out, defaultServer, promptMsg)
}
}
}
clientConfig := &restclient.Config{}
// ensure clientConfig has timeout option
if o.RequestTimeout > 0 {
clientConfig.Timeout = o.RequestTimeout
}
// normalize the provided server to a format expected by config
serverNormalized, err := config.NormalizeServerURL(o.Server)
if err != nil {
return nil, err
}
o.Server = serverNormalized
clientConfig.Host = o.Server
// use specified CA or find existing CA
if len(o.CAFile) > 0 {
clientConfig.CAFile = o.CAFile
clientConfig.CAData = nil
} else if caFile, caData, ok := findExistingClientCA(clientConfig.Host, *o.StartingKubeConfig); ok {
clientConfig.CAFile = caFile
clientConfig.CAData = caData
}
// try to TCP connect to the server to make sure it's reachable, and discover
// about the need of certificates or insecure TLS
if err := dialToServer(*clientConfig); err != nil {
switch err.(type) {
// certificate authority unknown, check or prompt if we want an insecure
// connection or if we already have a cluster stanza that tells us to
// connect to this particular server insecurely
case x509.UnknownAuthorityError, x509.HostnameError, x509.CertificateInvalidError:
if o.InsecureTLS ||
hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig) ||
promptForInsecureTLS(o.Reader, o.Out, err) {
clientConfig.Insecure = true
clientConfig.CAFile = ""
clientConfig.CAData = nil
} else {
return nil, getPrettyErrorForServer(err, o.Server)
}
// TLS record header errors, like oversized record which usually means
// the server only supports "http"
case tls.RecordHeaderError:
return nil, getPrettyErrorForServer(err, o.Server)
default:
if _, ok := err.(*net.OpError); ok {
return nil, fmt.Errorf("%v - verify you have provided the correct host and port and that the server is currently running.", err)
}
return nil, err
}
}
o.Config = clientConfig
return o.Config, nil
}
// Negotiate a bearer token with the auth server, or try to reuse one based on the
// information already present. In case of any missing information, ask for user input
// (usually username and password, interactive depending on the Reader).
func (o *LoginOptions) gatherAuthInfo() error {
directClientConfig, err := o.getClientConfig()
if err != nil {
return err
}
// make a copy and use it to avoid mutating the original
t := *directClientConfig
clientConfig := &t
// if a token were explicitly provided, try to use it
if o.tokenProvided() {
clientConfig.BearerToken = o.Token
if me, err := whoAmI(clientConfig); err == nil {
o.Username = me.Name
o.Config = clientConfig
fmt.Fprintf(o.Out, "Logged into %q as %q using the token provided.\n\n", o.Config.Host, o.Username)
return nil
} else {
if kerrors.IsUnauthorized(err) {
return fmt.Errorf("The token provided is invalid or expired.\n\n")
}
return err
}
}
// if a username was provided try to make use of it, but if a password were provided we force a token
// request which will return a proper response code for that given password
if o.usernameProvided() && !o.passwordProvided() {
// search all valid contexts with matching server stanzas to see if we have a matching user stanza
kubeconfig := *o.StartingKubeConfig
matchingClusters := getMatchingClusters(*clientConfig, kubeconfig)
for key, context := range o.StartingKubeConfig.Contexts {
if matchingClusters.Has(context.Cluster) {
clientcmdConfig := kclientcmd.NewDefaultClientConfig(kubeconfig, &kclientcmd.ConfigOverrides{CurrentContext: key})
if kubeconfigClientConfig, err := clientcmdConfig.ClientConfig(); err == nil {
if me, err := whoAmI(kubeconfigClientConfig); err == nil && (o.Username == me.Name) {
clientConfig.BearerToken = kubeconfigClientConfig.BearerToken
clientConfig.CertFile = kubeconfigClientConfig.CertFile
clientConfig.CertData = kubeconfigClientConfig.CertData
clientConfig.KeyFile = kubeconfigClientConfig.KeyFile
clientConfig.KeyData = kubeconfigClientConfig.KeyData
o.Config = clientConfig
fmt.Fprintf(o.Out, "Logged into %q as %q using existing credentials.\n\n", o.Config.Host, o.Username)
return nil
}
}
}
}
}
// if kubeconfig doesn't already have a matching user stanza...
clientConfig.BearerToken = ""
clientConfig.CertData = []byte{}
clientConfig.KeyData = []byte{}
clientConfig.CertFile = o.CertFile
clientConfig.KeyFile = o.KeyFile
token, err := tokencmd.RequestToken(o.Config, o.Reader, o.Username, o.Password)
if err != nil {
return err
}
clientConfig.BearerToken = token
me, err := whoAmI(clientConfig)
if err != nil {
return err
}
o.Username = me.Name
o.Config = clientConfig
fmt.Fprint(o.Out, "Login successful.\n\n")
return nil
}
// Discover the projects available for the established session and take one to use. It
// fails in case of no existing projects, and print out useful information in case of
// multiple projects.
// Requires o.Username to be set.
func (o *LoginOptions) gatherProjectInfo() error {
me, err := o.whoAmI()
if err != nil {
return err
}
if o.Username != me.Name {
return fmt.Errorf("current user, %v, does not match expected user %v", me.Name, o.Username)
}
projectClient, err := projectclient.NewForConfig(o.Config)
if err != nil {
return err
}
projectsList, err := projectClient.Project().Projects().List(metav1.ListOptions{})
// if we're running on kube (or likely kube), just set it to "default"
if kerrors.IsNotFound(err) || kerrors.IsForbidden(err) {
fmt.Fprintf(o.Out, "Using \"default\". You can switch projects with:\n\n '%s project <projectname>'\n", o.CommandName)
o.Project = "default"
return nil
}
if err != nil {
return err
}
projectsItems := projectsList.Items
projects := sets.String{}
for _, project := range projectsItems {
projects.Insert(project.Name)
}
if len(o.DefaultNamespace) > 0 && !projects.Has(o.DefaultNamespace) {
// Attempt a direct get of our current project in case it hasn't appeared in the list yet
if currentProject, err := projectClient.Project().Projects().Get(o.DefaultNamespace, metav1.GetOptions{}); err == nil {
// If we get it successfully, add it to the list
projectsItems = append(projectsItems, *currentProject)
projects.Insert(currentProject.Name)
}
}
switch len(projectsItems) {
case 0:
canRequest, err := loginutil.CanRequestProjects(o.Config, o.DefaultNamespace)
if err != nil {
return err
}
msg := errors.NoProjectsExistMessage(canRequest, o.CommandName)
fmt.Fprintf(o.Out, msg)
o.Project = ""
case 1:
o.Project = projectsItems[0].Name
fmt.Fprintf(o.Out, "You have one project on this server: %q\n\n", o.Project)
fmt.Fprintf(o.Out, "Using project %q.\n", o.Project)
default:
namespace := o.DefaultNamespace
if !projects.Has(namespace) {
if namespace != metav1.NamespaceDefault && projects.Has(metav1.NamespaceDefault) {
namespace = metav1.NamespaceDefault
} else {
namespace = projects.List()[0]
}
}
current, err := projectClient.Project().Projects().Get(namespace, metav1.GetOptions{})
if err != nil && !kerrors.IsNotFound(err) && !kerrors.IsForbidden(err) {
return err
}
o.Project = current.Name
// Suppress project listing if the number of projects available to the user is greater than the threshold. Prevents unnecessarily noisy logins on clusters with large numbers of projects
if len(projectsItems) > projectsItemsSuppressThreshold {
fmt.Fprintf(o.Out, "You have access to %d projects, the list has been suppressed. You can list all projects with '%s projects'\n\n", len(projectsItems), o.CommandName)
} else {
fmt.Fprintf(o.Out, "You have access to the following projects and can switch between them with '%s project <projectname>':\n\n", o.CommandName)
for _, p := range projects.List() {
if o.Project == p {
fmt.Fprintf(o.Out, " * %s\n", p)
} else {
fmt.Fprintf(o.Out, " %s\n", p)
}
}
fmt.Fprintln(o.Out)
}
fmt.Fprintf(o.Out, "Using project %q.\n", o.Project)
}
return nil
}
// Save all the information present in this helper to a config file. An explicit config
// file path can be provided, if not use the established conventions about config
// loading rules. Will create a new config file if one can't be found at all. Will only
// succeed if all required info is present.
func (o *LoginOptions) SaveConfig() (bool, error) {
if len(o.Username) == 0 {
return false, fmt.Errorf("Insufficient data to merge configuration.")
}
globalExistedBefore := true
if _, err := os.Stat(o.PathOptions.GlobalFile); os.IsNotExist(err) {
globalExistedBefore = false
}
newConfig, err := cliconfig.CreateConfig(o.Project, o.Config)
if err != nil {
return false, err
}
cwd, err := os.Getwd()
if err != nil {
return false, err
}
baseDir, err := cmdutil.MakeAbs(filepath.Dir(o.PathOptions.GetDefaultFilename()), cwd)
if err != nil {
return false, err
}
if err := cliconfig.RelativizeClientConfigPaths(newConfig, baseDir); err != nil {
return false, err
}
configToWrite, err := cliconfig.MergeConfig(*o.StartingKubeConfig, *newConfig)
if err != nil {
return false, err
}
if err := kclientcmd.ModifyConfig(o.PathOptions, *configToWrite, true); err != nil {
if !os.IsPermission(err) {
return false, err
}
out := &bytes.Buffer{}
fmt.Fprintf(out, errors.ErrKubeConfigNotWriteable(o.PathOptions.GetDefaultFilename(), o.PathOptions.IsExplicitFile(), err).Error())
return false, fmt.Errorf("%v", out)
}
created := false
if _, err := os.Stat(o.PathOptions.GlobalFile); err == nil {
created = created || !globalExistedBefore
}
return created, nil
}
func (o LoginOptions) whoAmI() (*userapi.User, error) {
return whoAmI(o.Config)
}
func (o *LoginOptions) usernameProvided() bool {
return len(o.Username) > 0
}
func (o *LoginOptions) passwordProvided() bool {
return len(o.Password) > 0
}
func (o *LoginOptions) serverProvided() bool {
return (len(o.Server) > 0)
}
func (o *LoginOptions) tokenProvided() bool {
return len(o.Token) > 0
}